Tuesday, July 05, 2005

firewall-wizards digest, Vol 1 #1625 - 8 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Opinion: Worst interface ever. (StefanDorn@bankcib.com)
2. Re: Opinion: Worst interface ever. (Marcus J. Ranum)
3. Re: Opinion: Worst interface ever. (Paul D. Robertson)
4. Re: Opinion: Worst interface ever. (Dave Piscitello)
5. RE: Opinion: Worst interface ever. (Eugene Kuznetsov)
6. Re: Opinion: Worst interface ever. (Paul D. Robertson)
7. Re: Opinion: Worst interface ever. (StefanDorn@bankcib.com)
8. RE: Opinion: Worst interface ever. (Paul D. Robertson)

--__--__--

Message: 1
From: StefanDorn@bankcib.com
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: firewall-wizards@icsalabs.com
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
Date: Tue, 5 Jul 2005 09:01:54 -0500

> I can't even imagine trying to audit the "we'll pick the most exact match"
> ruleset evaluation of one of these beasts. If I thought there was any
> chance the old software would work with the new box, I'd be loading that
> tomorrow. My "same vendor" rationale is right out the window- the two
> products aren't even close- other than the fact they're both red.

The 7.x series of software does this- precedence is based on how specific
each rule is. The most specific rules are evaluated first, and so on. Of
course, the software itself does nothing to show you the order they are
in. I think I recall reading that in the newer "Fireware Pro" software,
you can manually set precedence. Maybe it hasn't been implemented yet.

> While I'm ranting- what's with support hours from 9-6pm *at my location*?
> Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
> scheduled for when the users are still working!

The good news is, they have a support forum with some pretty helpful
Watchguard people moderating it, and even a few customers who try to help
people out. Bad news is, I've yet to get a question completely answered
via their incident response system. Barring disaster, I generally try to
figure a problem out myself, since every time I contact support they
immediately request that I let them connect and play with the
configuration... which isn't going to happen. It makes me wonder if
outsourcing can really be worth it, considering the fact that it generally
results in customers getting irritated with it and then requesting a US
representative anyway. Why not just get it right the first time?

Stefan

--__--__--

Message: 2
Date: Tue, 05 Jul 2005 10:04:27 -0400
To: "Paul D. Robertson" <paul@compuwar.net>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
Cc: firewall-wizards@icsalabs.com

Paul D. Robertson wrote:
>I don't mind the optimization[1], I mind the fact that the UI won't tell
>me how the rules are optimized

That's the beauty of it. It can't. The UI can tell you the ruleset that
it gave the ASICs but the ASICs are gonna do what the ASICs decide
to do. And they're gonna be too busy, you know, passing packets
really FAST, to bother figuring out how to tell the UI what ruleset
they chose to enforce. Sure, you could put the optimization algorithm
up in software, too, so the UI could show you "this is what I think the
ASICs are doing.." but then valuable intellectual property (the
optimization algorithm) would be exposed in software where it could
be examined. Can't have that!

UI: "Here are some rules. Run them. Run them FAST"
ASICs: "OK. Here I go. I'm doing stuff."
UI: "What 'stuff' are you doing."
ASICs: "Sorry, I'm afraid I can't tell you that."
UI: "What do you mean? 'you can't tell me that'?"
ASICs: "Shut up, I'm busy shovelling packets. Hi ho, hi ho,...."
UI: "Hey! HEY! Did you 'optimize' those rules I gave you?!"
UI: "Hello?"

mjr.

--__--__--

Message: 3
Date: Tue, 5 Jul 2005 10:16:07 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: StefanDorn@bankcib.com
Cc: firewall-wizards@icsalabs.com
Subject: Re: [fw-wiz] Opinion: Worst interface ever.

On Tue, 5 Jul 2005 StefanDorn@bankcib.com wrote:

> > I can't even imagine trying to audit the "we'll pick the most exact match"
> > ruleset evaluation of one of these beasts. If I thought there was any
> > chance the old software would work with the new box, I'd be loading that
> > tomorrow. My "same vendor" rationale is right out the window- the two
> > products aren't even close- other than the fact they're both red.
>
>
> The 7.x series of software does this- precedence is based on how specific
> each rule is. The most specific rules are evaluated first, and so on. Of

But what counts as specific? Is a port more or less specific than an
address? Is a protocol less specific than a user? If they do an ASIC
rev, is my happy little ruleset going to do something different if I have
to replace a box?

> course, the software itself does nothing to show you the order they are
> in. I think I recall reading that in the newer "Fireware Pro" software,
> you can manually set precedence. Maybe it hasn't been implemented yet.
>

I think their marketing department needs smacked. I didn't even start to
go on about having three interfaces in the box I can't use unless I pay
more money.

> > While I'm ranting- what's with support hours from 9-6pm *at my location*?
> > Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
> > scheduled for when the users are still working!
>
> The good news is, they have a support forum with some pretty helpful
> Watchguard people moderating it, and even a few customers who try to help
> people out. Bad news is, I've yet to get a question completely answered
> via their incident response system. Barring disaster, I generally try to
> figure a problem out myself, since every time I contact support they
> immediately request that I let them connect and play with the
> configuration..which isn't going to happen. It makes me wonder if
> outsourcing can really be worth it, considering the fact that it generally
> results in customers getting irritated with it and then requesting a US
> representative anyway. Why not just get it right the first time?
>

I'm glad I'm not the only one left with that impression. I'm going to go
back over my personal evaluation criteria and tweak the support parts to
match what I see as good. I also think that I'm going to go back to
building more open source based firewalls- the idea behind a commercial
product is support and consistency. I'm not seeing good things in either
department.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 4
From: "Dave Piscitello" <dave@corecom.com>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Tue, 05 Jul 2005 10:31:24 -0400
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
Reply-To: dave@corecom.com
Cc: firewall-wizards@honor.icsalabs.com


On 5 Jul 2005 at 9:25, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
> >The new Watchguard software "automatically" decides ruleset

This is not correct. If you CHOOSE, the policy manager will order the
ruleset for you. Manual mode is available in the details view. Right-
click any policy and you can switch to manual mode and move policies
in whatever order you wish.

> >evaluation order, there's no easy way that I can find to figure
> >out what order something's going to be evaluated in.

I don't understand this comment. The help page explains exactly how
the policies are ordered, precedence actions, etc.

"Fireware Policy Manager automatically sorts policies from the most
detailed to the most general. Each time you add a policy, Policy
Manager compares the new rule with all the rules in your
configuration file. To set the precedence, Policy Manager uses these
criteria:

1. Protocols set for the policy type
2. Traffic rules of the To field
3. Traffic rules of the From field
4. Firewall action
5. Schedule
6. Alphanumeric sequence based on policy type
7. Alphanumeric sequence based on policy name...

<additional details not cut-pasted>

> When I suggested that they optimize the "deny all" default deny to the
> top of the sequence, because then it'd really scream - it took him a
> couple of seconds to laugh.

This is the policy order I have on my kids' subnet;-)

--__--__--

Message: 5
From: "Eugene Kuznetsov" <eugene@datapower.com>
To: "'Paul D. Robertson'" <paul@compuwar.net>,
<firewall-wizards@icsalabs.com>
Subject: RE: [fw-wiz] Opinion: Worst interface ever.
Date: Tue, 5 Jul 2005 10:44:18 -0400

I am not familiar with the WatchGuard interface, but I will say one general
thing in their defence -- this stuff is harder to do than it seems.

For every user like you, who's annoyed about the redesign, there's another
one who demanded that the UI be reworked in the first place: to make it more
intuitive for his preferred configuration, or to add options for new
features. I'll even go out on a limb and bet $5 that somewhere in the first
5 minutes of your ordeal, you took a wrong turn, and it all went downhill
from there. Had you taken a different path, it would've all been good.

Now, again, I don't know much about WG, they could be just awful. I just
know that "flexibility" and "ease-of-use" often work at cross-purposes and
it takes a whole lot of ingenuity, discipline and luck to pull it off. I
think we get it right with our products, most of the time, but it is not
easy.

So take this as a vendor perspective: it's not easy, especially since
customer requirements are increasingly diverging. More features --> more
complexity.

\\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks

--__--__--

Message: 6
Date: Tue, 5 Jul 2005 10:43:59 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Dave Piscitello <dave@corecom.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Opinion: Worst interface ever.

On Tue, 5 Jul 2005, Dave Piscitello wrote:

> This is not correct. If you CHOOSE, the policy manager will order the
> ruleset for you. Manual mode is available in the details view. Right-
> click any policy and you can switch to manual mode and move policies
> in whatever order you wish.
>

Well, I didn't choose- it was just doing it. Thanks though, I'll see if
this helps in the "set up a rule and have it actually work" case- the
major difference I could see in my original non-working PAT rule and the
one that did work was one had port set to client and the other said it
didn't care about the port- which to me seems equivalent.

> > >evaluation order, there's no easy way that I can find to figure
> > >out what order something's going to be evaluated in.
>
> I don't understand this comment. The help page explains exactly how
> the policies are ordered, precedence actions, etc.

Help wasn't working for me, and the interface was having major issues on
an idle Server 2003 system (menu bar was floating above the window it
lived in.) Trying to figure out which rule was tripping the inbound
traffic really didn't end up helping anyway (logs said permitted, firewall
said ICMP port unreachable-) but I was frustrated by the lack of ability
to figure out why the system was generating unreachables for PAT or NAT
with a separate external address (I tried both) for one rule, but not for
another.

> "Fireware Policy Manager automatically sorts policies from the most
> detailed to the most general. Each time you add a policy, Policy
> Manager compares the new rule with all the rules in your
> configuration file. To set the precedence, Policy Manager uses these
> criteria:
>
> 1. Protocols set for the policy type
> 2. Traffic rules of the To field
> 3. Traffic rules of the From field
> 4. Firewall action
> 5. Schedule
> 6. Alphanumeric sequence based on policy type
> 7. Alphanumeric sequence based on policy name...
>
> <additional details not cut-pasted>
>
> > When I suggested that they optimize the "deny all" default deny to the
> > top of the sequence, because then it'd really scream - it took him a
> > couple of seconds to laugh.
>
> This is the policy order I have on my kids' subnet;-)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 7
From: StefanDorn@bankcib.com
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: firewall-wizards@icsalabs.com
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
Date: Tue, 5 Jul 2005 09:46:05 -0500

"Paul D. Robertson" <paul@compuwar.net> wrote on 07-05-2005 09:16:07 AM:

> But what counts as specific? Is a port more or less specific than an
> address? Is a protocol less specific than a user? If they do an ASIC
> rev, is my happy little ruleset going to do something different if I have
> to replace a box?

A rule allowing connections from a specified IP over a specified port to a
specified IP and port will be considered overall more specific than
something allowing any IP to connect to a certain IP and port. As far as
protocol, I assume they aren't being included in the equation; for users,
two rules that are the same, but one specifying certain users should take
priority over the more general one, for those users. Basically, it seems
like anything that could be considered 'more specific' will add weight to
a rule's being processed ahead of another rule. They really just need
something added into the management UI that considers your rules, weighs
them in, and ranks them with the same logic as the firebox is using on
them.


> I think their marketing department needs smacked. I didn't even start to
> go on about having three interfaces in the box I can't use unless I pay
> more money.

I was saddened when I found out that three of the ports are just for show
until I shell out more cash. When I purchase a piece of hardware, I expect
to be able to use the features that are available on it. If I need an
upgrade, I expect to buy an expansion card, or a new unit. Since the
Fireware Pro package allows for multiple WAN connections and fail-over
options, the interface upgrade cost is just another item that will hold me
back on upgrading to Fireware.

> I'm glad I'm not the only one left with that impression. I'm going to go
> back over my personal evaluation criteria and tweak the support parts to
> match what I see as good. I also think that I'm going to go back to
> building more open source based firewalls- the idea behind a commercial
> product is support and consistency. I'm not seeing good things in either
> department.

In all fairness, I think WatchGuard is trying pretty hard to create a good
product. The WFS series of management software seems oriented towards
people just starting to get involved with enterprise grade firewall
administration, and in the grand scheme of things is pretty easy to get up
and running, albeit only modestly secure if the admin doesn't know what
they are doing. (But that's user error, not really WatchGuard's fault.)
With the Fireware Pro line, they definitely are attempting to create a
package geared towards more expert users. I can appreciate that, but I
think I'm going to let it mature a while longer before I consider using it
in a production environment.

Stefan
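[Editor's note: the following is an added example, not code from the thread or from WatchGuard. It models the "most detailed to most general" auto-ordering described in the Fireware help text quoted in Message 4 and the "rank them with the same logic the firebox is using" tool Stefan asks for above, and it answers Paul's "is a port more or less specific than an address?" for that model. The order of the seven criteria is taken from the quoted help text; how each criterion is scored (address count, port count, deny-before-allow, timed-before-always) is an assumption of this model, as are the policy names, addresses and packet used below, which are constructed for illustration.]

```python
"""Model of "most specific rule first" policy ordering (added example,
not WatchGuard's code). Criteria order follows the quoted Fireware help
text; the scoring of each criterion is an assumption of this model."""
from dataclasses import dataclass
import ipaddress

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    ports: frozenset      # destination ports; empty = any port
    src: str              # CIDR, single address or "any"
    dst: str
    action: str           # "allow" or "deny"
    schedule: str = "always"


def _addr_weight(spec: str) -> int:
    """Addresses a From/To field covers; fewer = more specific."""
    if spec == ANY:
        return 2 ** 32
    return ipaddress.ip_network(spec, strict=False).num_addresses


def _proto_weight(p: Policy) -> int:
    """Ports/protocols a policy type covers; fewer = more specific."""
    if p.proto == ANY:
        return 256 * 65536          # assumption: "any protocol" is least specific
    if p.proto in ("tcp", "udp"):
        return len(p.ports) if p.ports else 65536
    return 1                        # icmp etc.: protocol alone, no ports


def precedence_key(p: Policy) -> tuple:
    """Sort key: smaller tuples are evaluated first. Ties fall through to the
    later criteria and finally the policy name, so the order is total."""
    return (
        _proto_weight(p),                    # 1. protocols of the policy type
        _addr_weight(p.dst),                 # 2. To field
        _addr_weight(p.src),                 # 3. From field
        0 if p.action == "deny" else 1,      # 4. action (assumption: deny first)
        0 if p.schedule != "always" else 1,  # 5. schedule (assumption: timed first)
        p.proto,                             # 6. policy type
        p.name,                              # 7. policy name
    )


def auto_order(policies):
    """The order an automatic policy manager would evaluate these rules in."""
    return sorted(policies, key=precedence_key)


def explain_order(policies):
    """The view the thread complains is missing: rank, name and the key behind it."""
    return [f"{i}. {p.name} key={precedence_key(p)}"
            for i, p in enumerate(auto_order(policies), 1)]


def _in(spec: str, addr: str) -> bool:
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(p: Policy, proto: str, dport: int, src: str, dst: str) -> bool:
    return ((p.proto == ANY or p.proto == proto)
            and (not p.ports or dport in p.ports)
            and _in(p.src, src) and _in(p.dst, dst))


def evaluate(ordered, proto: str, dport: int, src: str, dst: str):
    """First match wins; an unmatched packet hits the implicit default deny."""
    for p in ordered:
        if matches(p, proto, dport, src, dst):
            return p.action, p.name
    return "deny", "<default deny>"


# Constructed ruleset, written in the order the admin intended: block the bad
# subnet outright, then publish a web server, then let the LAN out.
RULES = [
    Policy("Block-Badnet", "tcp", frozenset(), "198.51.100.0/24", ANY, "deny"),
    Policy("Allow-Web", "tcp", frozenset({80, 443}), ANY, "192.0.2.10/32", "allow"),
    Policy("Allow-Outbound", "tcp", frozenset(), "10.0.0.0/8", ANY, "allow"),
]

if __name__ == "__main__":
    print("\n".join(explain_order(RULES)))
    pkt = ("tcp", 80, "198.51.100.7", "192.0.2.10")
    print("auto-ordered:", evaluate(auto_order(RULES), *pkt))
    print("manual order:", evaluate(RULES, *pkt))
```

In this model a port-specific policy with a single-host To field outranks a deny with an any-port, any-destination type, because criterion 1 (protocol/ports) and criterion 2 (To) are compared before criterion 3 (From). So with automatic ordering the constructed packet from 198.51.100.7 to the web server on port 80 is allowed by "Allow-Web", while the admin's manual order denies it under "Block-Badnet". That is the audit problem raised in this thread: the same ruleset gives different answers depending on an ordering the UI does not display, and `explain_order` is the kind of read-out that would make it visible.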

--__--__--

Message: 8
Date: Tue, 5 Jul 2005 11:08:04 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Eugene Kuznetsov <eugene@datapower.com>
Cc: firewall-wizards@icsalabs.com
Subject: RE: [fw-wiz] Opinion: Worst interface ever.

On Tue, 5 Jul 2005, Eugene Kuznetsov wrote:

> I am not familiar with the WatchGuard interface, but I will say one general
> thing in their defence -- this stuff is harder to do than it seems.

Sure, but while the old interface was ugly, it was intuitive- and
consistency is important.

> For every user like you, who's annoyed about the redesign, there's another
> one who demanded that the UI be reworked in the first place: to make it more
> intuitive for his preferred configuration, or to add options for new

Sure, when a vendor goes from "intuitive and simple" to "where the heck is
this thing failing, all the things the manual says are done?" I think it's
bad.

> features. I'll even go out on a limb and bet $5 that somewhere in the first
> 5 minutes of your ordeal, you took a wrong turn, and it all went downhill
> from there. Had you taken a different path, it would've all been good.

One of my coworkers had the same issue, so I'm guessing that it's not all
that intuitive where that turn was. It's frustrating to go from "hey,
this product is good" to "hey, this revision is bad!"

I'm really starting to dislike the "interface can't run locally on the
device" stuff when coupled with "won't log on the device."

> So take this as a vendor perspective: it's not easy, especially since
> customer requirements are increasingly diverging. More features --> more
> complexity.

Hey, I didn't ask for more features, someone's marketing department did!
I'm mostly upset at myself for assuming that the new version would be an
incremental improvement of the old, not something that two of us had
serious issues with despite following the instructions in the manual.

I'm also going to add a new vendor test to my criteria- if I can't get
read-only access to the support site without a login, that vendor's off my
list.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
